Malware Analysis Report

2025-06-16 03:47

Sample ID 220826-gqbavagcdr
Target a18b2b6648a6e116fb85974ed5b174eb.exe
SHA256 7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b
Tags
eternity clipper collection spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7f69f2fe22dfaa47d7fdb7dd3a78b6feae38ea490dc2b81b7d044cd64836429b

Threat Level: Known bad

The file a18b2b6648a6e116fb85974ed5b174eb.exe was found to be: Known bad.

Malicious Activity Summary

eternity clipper collection spyware stealer

Eternity

Detects Eternity clipper

Executes dropped EXE

Reads user/profile data of web browsers

Checks computer location settings

Loads dropped DLL

Looks up external IP address via web service

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

outlook_office_path

Checks processor information in registry

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

outlook_win_path

Runs ping.exe

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-08-26 06:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-08-26 06:00

Reported

2022-08-26 06:03

Platform

win7-20220812-en

Max time kernel

206s

Max time network

210s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe"

Signatures

Detects Eternity clipper

clipper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Eternity

eternity

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 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 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clipper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Clipper.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 304 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Stealer.exe
PID 304 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Stealer.exe
PID 304 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Stealer.exe
PID 304 wrote to memory of 808 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Stealer.exe
PID 304 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Clipper.exe
PID 304 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Clipper.exe
PID 304 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Clipper.exe
PID 304 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Clipper.exe
PID 808 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\system32\cmd.exe
PID 808 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\system32\cmd.exe
PID 808 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\system32\cmd.exe
PID 1968 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1968 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1968 wrote to memory of 1484 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 1968 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1968 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1968 wrote to memory of 468 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 1968 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1968 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 1968 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 808 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe
PID 808 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe
PID 808 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe
PID 808 wrote to memory of 1836 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe
PID 808 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\System32\cmd.exe
PID 808 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\System32\cmd.exe
PID 808 wrote to memory of 1748 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\System32\cmd.exe
PID 1748 wrote to memory of 1428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1748 wrote to memory of 1428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1748 wrote to memory of 1428 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 1748 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1748 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1748 wrote to memory of 2008 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2292972927-2705560509-2768824231-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe

"C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe"

C:\Users\Admin\AppData\Local\Temp\Stealer.exe

"C:\Users\Admin\AppData\Local\Temp\Stealer.exe"

C:\Users\Admin\AppData\Local\Temp\Clipper.exe

"C:\Users\Admin\AppData\Local\Temp\Clipper.exe"

C:\Windows\system32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe

"C:\Users\Admin\AppData\Local\Temp\Tor\Tor.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet udp
US 198.251.83.154:80 rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 t.me udp
NL 149.154.167.99:443 t.me tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.110.133:443 raw.githubusercontent.com tcp
N/A 127.0.0.1:49213 N/A tcp
US 185.159.70.47:46031 N/A tcp
BG 31.13.195.248:443 N/A tcp
FR 178.20.55.18:443 N/A tcp
NO 185.90.61.218:443 N/A tcp
PL 95.214.53.221:443 N/A tcp
FI 65.109.33.23:9001 N/A tcp
DE 212.83.43.13:443 N/A tcp
DE 212.83.43.13:443 N/A tcp
PL 95.214.53.221:443 N/A tcp
N/A 127.0.0.1:9050 N/A tcp

Files

memory/304-54-0x00000000005F8000-0x0000000000657000-memory.dmp

memory/304-55-0x00000000005F8000-0x0000000000657000-memory.dmp

memory/304-56-0x0000000000220000-0x000000000028C000-memory.dmp

memory/304-57-0x0000000000400000-0x00000000004E6000-memory.dmp

memory/304-58-0x00000000047F0000-0x0000000004868000-memory.dmp

memory/304-59-0x00000000049B0000-0x0000000004A26000-memory.dmp

memory/304-60-0x0000000074C91000-0x0000000074C93000-memory.dmp

\Users\Admin\AppData\Local\Temp\Stealer.exe

MD5 d1cdefb0ed7a84fdb2aba99ec065d2e2
SHA1 9cad12bc5214a118e72424b6d7799d362383f8f5
SHA256 80b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e
SHA512 a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e

memory/808-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Stealer.exe

MD5 d1cdefb0ed7a84fdb2aba99ec065d2e2
SHA1 9cad12bc5214a118e72424b6d7799d362383f8f5
SHA256 80b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e
SHA512 a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e

C:\Users\Admin\AppData\Local\Temp\Stealer.exe

MD5 d1cdefb0ed7a84fdb2aba99ec065d2e2
SHA1 9cad12bc5214a118e72424b6d7799d362383f8f5
SHA256 80b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e
SHA512 a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e

memory/304-65-0x00000000005F8000-0x0000000000657000-memory.dmp

\Users\Admin\AppData\Local\Temp\Clipper.exe

MD5 8ca91deb0b495906ddcb1baf997dedf7
SHA1 cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4
SHA256 bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890
SHA512 b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec

memory/1160-67-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Clipper.exe

MD5 8ca91deb0b495906ddcb1baf997dedf7
SHA1 cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4
SHA256 bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890
SHA512 b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec

C:\Users\Admin\AppData\Local\Temp\Clipper.exe

MD5 8ca91deb0b495906ddcb1baf997dedf7
SHA1 cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4
SHA256 bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890
SHA512 b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec

memory/304-71-0x0000000000400000-0x00000000004E6000-memory.dmp

memory/304-70-0x00000000005F8000-0x0000000000657000-memory.dmp

memory/1160-72-0x0000000000CD0000-0x0000000000CE0000-memory.dmp

memory/808-74-0x0000000000FC0000-0x000000000101A000-memory.dmp

memory/1968-75-0x0000000000000000-mapping.dmp

memory/1484-76-0x0000000000000000-mapping.dmp

memory/468-77-0x0000000000000000-mapping.dmp

memory/824-78-0x0000000000000000-mapping.dmp

memory/468-79-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tor\tor.exe

MD5 67ab12cf6cabc14588e4f51b21c2134a
SHA1 32a4ff564f38bf4b62007e419f19c991e60d6e14
SHA256 f0aaae0364306bb7a4681d01935c96c2ac76b3576b7982990f86bcaf811a45ba
SHA512 2a1c67e9d23d6b050e35c5a8e159309cf598095239406c60a9f721fddc912e21afab7036cbd9f77197cc4241df5f8fa6aa9d7294762659178c6edeb4699d5bec

memory/1836-80-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Tor\libevent-2-1-7.dll

MD5 a3bf8e33948d94d490d4613441685eee
SHA1 75ed7f6e2855a497f45b15270c3ad4aed6ad02e2
SHA256 91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585
SHA512 c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

\Users\Admin\AppData\Local\Temp\Tor\libevent-2-1-7.dll

MD5 a3bf8e33948d94d490d4613441685eee
SHA1 75ed7f6e2855a497f45b15270c3ad4aed6ad02e2
SHA256 91c812a33871e40b264761f1418e37ebfeb750fe61ca00cbcbe9f3769a8bf585
SHA512 c20ef2efcacb5f8c7e2464de7fde68bf610ab2e0608ff4daed9bf676996375db99bee7e3f26c5bd6cca63f9b2d889ed5460ec25004130887cd1a90b892be2b28

C:\Users\Admin\AppData\Local\Temp\Tor\libssp-0.dll

MD5 b77328da7cead5f4623748a70727860d
SHA1 13b33722c55cca14025b90060e3227db57bf5327
SHA256 46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7
SHA512 2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

C:\Users\Admin\AppData\Local\Temp\Tor\libgcc_s_sjlj-1.dll

MD5 bd40ff3d0ce8d338a1fe4501cd8e9a09
SHA1 3aae8c33bf0ec9adf5fbf8a361445969de409b49
SHA256 ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c
SHA512 404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

\Users\Admin\AppData\Local\Temp\Tor\libssp-0.dll

MD5 b77328da7cead5f4623748a70727860d
SHA1 13b33722c55cca14025b90060e3227db57bf5327
SHA256 46541d9e28c18bc11267630920b97c42f104c258b55e2f62e4a02bcd5f03e0e7
SHA512 2f1bd13357078454203092ed5ddc23a8baa5e64202fba1e4f98eacf1c3c184616e527468a96ff36d98b9324426dddfa20b62b38cf95c6f5c0dc32513ebace9e2

\Users\Admin\AppData\Local\Temp\Tor\libgcc_s_sjlj-1.dll

MD5 bd40ff3d0ce8d338a1fe4501cd8e9a09
SHA1 3aae8c33bf0ec9adf5fbf8a361445969de409b49
SHA256 ebda776a2a353f8f0690b1c7706b0cdaff3d23e1618515d45e451fc19440501c
SHA512 404fb3c107006b832b8e900f6e27873324cd0a7946cdccf4ffeea365a725892d929e8b160379af9782bcd6cfeb4c3c805740e21280b42bb2ce8f39f26792e5a1

C:\Users\Admin\AppData\Local\Temp\Tor\libwinpthread-1.dll

MD5 19d7cc4377f3c09d97c6da06fbabc7dc
SHA1 3a3ba8f397fb95ed5df22896b2c53a326662fcc9
SHA256 228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d
SHA512 23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

\Users\Admin\AppData\Local\Temp\Tor\libwinpthread-1.dll

MD5 19d7cc4377f3c09d97c6da06fbabc7dc
SHA1 3a3ba8f397fb95ed5df22896b2c53a326662fcc9
SHA256 228fcfe9ed0574b8da32dd26eaf2f5dbaef0e1bd2535cb9b1635212ccdcbf84d
SHA512 23711285352cdec6815b5dd6e295ec50568fab7614706bc8d5328a4a0b62991c54b16126ed9e522471d2367b6f32fa35feb41bfa77b3402680d9a69f53962a4a

C:\Users\Admin\AppData\Local\Temp\Tor\libcrypto-1_1.dll

MD5 3406f79392c47a72bed2f0067b3ce466
SHA1 a8e2940d61fc840441c4e2a835959d197929ffdf
SHA256 e4b6b2ca32b1e2ba26959ec7380c4f117418d3a724f60494ff3cb81505fbf43d
SHA512 930d794aa8715dcd23fafbead7fe2ec95d2863783b4c52279870cad93d5b6cf02ba8a13e2653d2bf731e9882bf63f43a7e44788ce47505346be3fe8e8b872fa4

C:\Users\Admin\AppData\Local\Temp\Tor\libssl-1_1.dll

MD5 9e3d55fbf890c6cbffd836f2aef4ba31
SHA1 715890ba3bda3431470cca4f4bc492c0f63fa138
SHA256 e6f4cf41373e8770c670cf5e85461f25385314ed9d8a2b37381bc84f5c0dd5c0
SHA512 9848f28fd96c21dd054cbf3e722e56373696c1f7803c137afc7c7203325d9738fa6b984d95cd49ff78a6d95c8f9406f869af3c3783901da3cc003e2b09497d65

\Users\Admin\AppData\Local\Temp\Tor\libcrypto-1_1.dll

MD5 3406f79392c47a72bed2f0067b3ce466
SHA1 a8e2940d61fc840441c4e2a835959d197929ffdf
SHA256 e4b6b2ca32b1e2ba26959ec7380c4f117418d3a724f60494ff3cb81505fbf43d
SHA512 930d794aa8715dcd23fafbead7fe2ec95d2863783b4c52279870cad93d5b6cf02ba8a13e2653d2bf731e9882bf63f43a7e44788ce47505346be3fe8e8b872fa4

\Users\Admin\AppData\Local\Temp\Tor\zlib1.dll

MD5 6f98da9e33cd6f3dd60950413d3638ac
SHA1 e630bdf8cebc165aa81464ff20c1d55272d05675
SHA256 219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773
SHA512 2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

\Users\Admin\AppData\Local\Temp\Tor\libssl-1_1.dll

MD5 9e3d55fbf890c6cbffd836f2aef4ba31
SHA1 715890ba3bda3431470cca4f4bc492c0f63fa138
SHA256 e6f4cf41373e8770c670cf5e85461f25385314ed9d8a2b37381bc84f5c0dd5c0
SHA512 9848f28fd96c21dd054cbf3e722e56373696c1f7803c137afc7c7203325d9738fa6b984d95cd49ff78a6d95c8f9406f869af3c3783901da3cc003e2b09497d65

C:\Users\Admin\AppData\Local\Temp\Tor\zlib1.dll

MD5 6f98da9e33cd6f3dd60950413d3638ac
SHA1 e630bdf8cebc165aa81464ff20c1d55272d05675
SHA256 219d9d5bf0de4c2251439c89dd5f2959ee582e7f9f7d5ff66a29c88753a3a773
SHA512 2983faaf7f47a8f79a38122aa617e65e7deddd19ba9a98b62acf17b48e5308099b852f21aaf8ca6fe11e2cc76c36eed7ffa3307877d4e67b1659fe6e4475205c

memory/1836-97-0x000000006F620000-0x000000006F71B000-memory.dmp

memory/1836-98-0x0000000073370000-0x0000000073396000-memory.dmp

memory/1836-99-0x0000000001020000-0x0000000001433000-memory.dmp

memory/1836-100-0x000000006F620000-0x000000006F71B000-memory.dmp

memory/1836-101-0x000000006F180000-0x000000006F475000-memory.dmp

memory/1836-103-0x0000000073370000-0x0000000073396000-memory.dmp

memory/1836-102-0x000000006F090000-0x000000006F176000-memory.dmp

memory/1836-104-0x0000000001020000-0x0000000001433000-memory.dmp

memory/1836-105-0x0000000001020000-0x0000000001433000-memory.dmp

memory/1836-106-0x0000000001020000-0x0000000001433000-memory.dmp

memory/1748-107-0x0000000000000000-mapping.dmp

memory/1428-108-0x0000000000000000-mapping.dmp

memory/2008-109-0x0000000000000000-mapping.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-08-26 06:00

Reported

2022-08-26 06:04

Platform

win10v2004-20220812-en

Max time kernel

233s

Max time network

241s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe"

Signatures

Detects Eternity clipper

clipper
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Eternity

eternity

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clipper.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Clipper.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Clipper.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Stealer.exe
PID 1664 wrote to memory of 4728 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Stealer.exe
PID 1664 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Clipper.exe
PID 1664 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Clipper.exe
PID 1664 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe C:\Users\Admin\AppData\Local\Temp\Clipper.exe
PID 4728 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\SYSTEM32\cmd.exe
PID 4728 wrote to memory of 5056 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\SYSTEM32\cmd.exe
PID 5056 wrote to memory of 1860 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 5056 wrote to memory of 1860 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 5056 wrote to memory of 3356 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 5056 wrote to memory of 3356 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 5056 wrote to memory of 424 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 5056 wrote to memory of 424 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4728 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\SYSTEM32\cmd.exe
PID 4728 wrote to memory of 432 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\SYSTEM32\cmd.exe
PID 432 wrote to memory of 4628 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 432 wrote to memory of 4628 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\chcp.com
PID 432 wrote to memory of 4328 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 432 wrote to memory of 4328 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\netsh.exe
PID 432 wrote to memory of 4004 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 432 wrote to memory of 4004 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\findstr.exe
PID 4728 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\System32\cmd.exe
PID 4728 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\System32\cmd.exe
PID 4728 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\System32\cmd.exe
PID 4728 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\Stealer.exe C:\Windows\System32\cmd.exe
PID 5100 wrote to memory of 2164 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 5100 wrote to memory of 2164 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4084 wrote to memory of 2208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4084 wrote to memory of 2208 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\chcp.com
PID 4084 wrote to memory of 4684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 4084 wrote to memory of 4684 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 5100 wrote to memory of 1292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 5100 wrote to memory of 1292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\Stealer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe

"C:\Users\Admin\AppData\Local\Temp\a18b2b6648a6e116fb85974ed5b174eb.exe"

C:\Users\Admin\AppData\Local\Temp\Stealer.exe

"C:\Users\Admin\AppData\Local\Temp\Stealer.exe"

C:\Users\Admin\AppData\Local\Temp\Clipper.exe

"C:\Users\Admin\AppData\Local\Temp\Clipper.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 1408

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile | findstr All

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\findstr.exe

findstr All

C:\Windows\SYSTEM32\cmd.exe

"cmd.exe" /C chcp 65001 && netsh wlan show profile name="65001" key=clear | findstr Key

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\netsh.exe

netsh wlan show profile name="65001" key=clear

C:\Windows\system32\findstr.exe

findstr Key

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C chcp 65001 && ping 127.0.0.1 && DEL /F /S /Q /A "C:\Users\Admin\AppData\Local\Temp\Stealer.exe"

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\chcp.com

chcp 65001

C:\Windows\system32\PING.EXE

ping 127.0.0.1

C:\Windows\system32\PING.EXE

ping 127.0.0.1

Network

Country Destination Domain Proto
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 93.184.221.240:80 N/A tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet udp
US 198.251.83.154:80 rlcjba7wduej3xcstcjo577eqgjsjvcjfsw4i23fqvf2y27ylylhmhad.onion.pet tcp
US 93.184.221.240:80 N/A tcp
US 8.8.8.8:53 106.89.54.20.in-addr.arpa udp

Files

memory/1664-132-0x00000000008F2000-0x0000000000951000-memory.dmp

memory/1664-133-0x00000000005C0000-0x000000000062C000-memory.dmp

memory/1664-134-0x0000000000400000-0x00000000004E6000-memory.dmp

memory/1664-135-0x0000000004E10000-0x00000000053B4000-memory.dmp

memory/4728-136-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Stealer.exe

MD5 d1cdefb0ed7a84fdb2aba99ec065d2e2
SHA1 9cad12bc5214a118e72424b6d7799d362383f8f5
SHA256 80b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e
SHA512 a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e

C:\Users\Admin\AppData\Local\Temp\Stealer.exe

MD5 d1cdefb0ed7a84fdb2aba99ec065d2e2
SHA1 9cad12bc5214a118e72424b6d7799d362383f8f5
SHA256 80b855a33f26827638ffe23996eab1ee83c1582c207c9c76ed7b94856040268e
SHA512 a92a29a92e3835b5a9d4325227239b14b18f9e493645d7598178f6f195b28511996bbc615b461b369f1d070cddff1732fd4d1adc8ce646c2aac5e429756a1b3e

memory/4728-139-0x00000243F4CB0000-0x00000243F4D0A000-memory.dmp

memory/4728-140-0x00007FFE80990000-0x00007FFE81451000-memory.dmp

memory/2180-141-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\Clipper.exe

MD5 8ca91deb0b495906ddcb1baf997dedf7
SHA1 cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4
SHA256 bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890
SHA512 b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec

C:\Users\Admin\AppData\Local\Temp\Clipper.exe

MD5 8ca91deb0b495906ddcb1baf997dedf7
SHA1 cdfe17d5ab94cfc7ed67b1ece1013e74be060ef4
SHA256 bcb1c93cfd5eae7f95a20b426bec5b7151734a4eba469a1caaf6b8cb665b9890
SHA512 b76b633fe9f1ae3f196541b41bcb8ff8d63865b6285c3a3672dc9141269df3d0dde7dc83589d7f69936d772f74a340be6141d30d22b3522c72c1a91b8be1ddec

memory/2180-144-0x0000000000820000-0x0000000000830000-memory.dmp

memory/2180-145-0x00000000060C0000-0x0000000006152000-memory.dmp

memory/1664-146-0x00000000008F2000-0x0000000000951000-memory.dmp

memory/1664-147-0x0000000000400000-0x00000000004E6000-memory.dmp

memory/2180-148-0x0000000006740000-0x000000000674A000-memory.dmp

memory/4728-149-0x00007FFE80990000-0x00007FFE81451000-memory.dmp

memory/5056-150-0x0000000000000000-mapping.dmp

memory/4728-151-0x00000243F8540000-0x00000243F8590000-memory.dmp

memory/1860-152-0x0000000000000000-mapping.dmp

memory/3356-153-0x0000000000000000-mapping.dmp

memory/424-154-0x0000000000000000-mapping.dmp

memory/432-155-0x0000000000000000-mapping.dmp

memory/4628-156-0x0000000000000000-mapping.dmp

memory/4328-157-0x0000000000000000-mapping.dmp

memory/4004-158-0x0000000000000000-mapping.dmp

memory/5100-159-0x0000000000000000-mapping.dmp

memory/4084-160-0x0000000000000000-mapping.dmp

memory/2164-161-0x0000000000000000-mapping.dmp

memory/2208-162-0x0000000000000000-mapping.dmp

memory/4684-163-0x0000000000000000-mapping.dmp

memory/1292-164-0x0000000000000000-mapping.dmp

memory/4728-165-0x00007FFE80990000-0x00007FFE81451000-memory.dmp